binarybeach/bb-plane-fork
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

binarybeachio: fix presigned-PUT signature mismatch on empty Content-Type

Browse source 
Plane's frontend calls getFileMetaDataForUpload() which uses the file-type
library to sniff MIME from magic bytes. For unsniffable formats (plain text,
.json, .csv, etc.) it returns "" — and that empty string was being threaded
through to S3Storage.generate_presigned_post(), signing the presigned URL
with `Content-Type=""`. Browsers can't reliably send an empty Content-Type
header, so the SigV4 signature never matched and R2 returned 403
SignatureDoesNotMatch. UI showed an opaque upload error.

Two-sided fix:
* apps/api/plane/settings/storage.py — default file_type to
  "application/octet-stream" when empty/None. The signed URL now always has
  a non-empty Content-Type the browser can match.
* packages/services/src/file/helper.ts — generateFileUploadPayload now
  prefers the signed Content-Type from upload_data.fields["Content-Type"]
  over file.type. The browser must send EXACTLY the signed value, not its
  own MIME guess from extension. Belt-and-suspenders defense alongside the
  backend default.

Reproduced empirically against R2 with the new keys 2026-05-01: empty
Content-Type signs, then PUT with `Content-Type: text/plain` returns 403
SignatureDoesNotMatch. With this patch, signing "application/octet-stream"
+ sending it back verbatim returns 200.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
binarybeach 2026-05-01 00:30:24 -10:00
parent c7ddc4648b
commit d950222749
2 changed files with 19 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

12
packages/services/src/file/helper.ts
View file

@ -87,13 +87,19 @@ export const generateFileUploadPayload = (
headers: { "Content-Type": "multipart/form-data" },
};
}
// Content-Type MUST exactly match what the backend signed in the presigned
// PUT URL — the AWS SigV4 signature includes Content-Type as a signed header.
// If we send the browser's `file.type` (which guesses from extension) but
// the backend signed `fileMetaData.type` (from the file-type library, which
// sniffs file magic bytes), they often disagree and R2 returns 403
// SignatureDoesNotMatch. Always prefer the signed value.
const signedContentType =
data.fields["Content-Type"] || file.type || "application/octet-stream";
return {
url: data.url,
method: "PUT",
body: file,
headers: {
"Content-Type": file.type || data.fields["Content-Type"] || "application/octet-stream",
},
headers: { "Content-Type": signedContentType },
};
};